The worst thing that organizations can do is take a hard stance with their cybersecurity efforts. The digital threat landscape is constantly evolving. If organizations settle into a viewpoint, they could elevate one source of risk into something unrealistic—all while missing other digital threats.

This reflects just how much assumptions drive cybersecurity-related decisions. Forbes put it this way: “Risk assessment, budgetary needs and priorities are the outcome of hypothetical debates and are subject to internal pressures and politics. Both security professionals and business executives continuously seek solutions or methodologies that will put a $ sign next to their investment, as well as risk.”

Subsequently, it’s not a surprise that there are some open questions in cybersecurity around where organizations can take their strategies in the next few years. Here’s a recap of five open questions that are currently shaping the cybersecurity space and how we are seeing these addressed in the industry.

1. Do Passwords Do More Harm than Good?

Technology firms like Microsoft are abandoning the password for three reasons. First, they’re looking to Single Sign-On (SSO) and other technologies that don’t hamper their workers’ experience and productivity as much as traditional password-based identity protection. Second, passwordless authentication makes it easier for organizations to defend their authorized accounts against brute-forcing, credential stuffing and other attack attempts that rely on guessing weak passwords. Third, organizations are choosing to embrace multi-factor authentication (MFA) and other controls as a way of limiting what a malicious actor could do with a compromised password.

But there are risks involved with implementing passwordless authentication. For instance, fingerprint readers, biometric scanners and other security measures provide new targets that attackers can potentially misuse to access user data. Passwordless authentication also does not exempt organizations and users from phishing attacks, scams and identity theft.

Notwithstanding those risks, passwordless authentication is here to stay. Organizations, therefore, need to understand its associated benefits and risks so that they can best protect their users going forward.

2. Do Firewalls Serve Any Purpose for Zero Trust?

The answer is nuanced. Traditional firewalls can’t protect organizations against threats that infiltrate the network. As such, they can’t help organizations uphold zero trust.

But the same doesn’t apply to next-generation firewalls (NGFWs). These types of firewalls can complement zero trust by functioning as segmentation gateways, multifaceted tools which leverage network access tools, micro-segmentation, web application firewalls and other functionalities to enforce zero trust. Segmentation gateways operate at the center of the network, not at the perimeter. In doing so, they provide insight into data access that infosec teams can use to spot a potential attack before it evolves into a security incident.

3. Can Cyber Ranges Help Organizations?

Demand for cyber ranges increased after organizations shifted to remote/hybrid work in 2020 and following high-profile attacks like the Colonial Pipeline incident. It’s important to keep in mind that not every organization needs a cyber range on a long-term basis. Some just can’t justify the cost of building and maintaining one.

That said, cyber ranges do carry benefits. They provide a means through which organizations can improve the level of coordination and experience of their security teams, for instance. Through cyber ranges, infosec personnel can immerse themselves in real attack scenarios and explore what a live response would entail. Cyber ranges also help organizations to satisfy the compliance standards and mandates established by the National Institute of Standards and Technology (NIST) and other bodies.

Organizations just need to remember that not every cyber range is created equally. With that in mind, they need to figure out which type of cyber range fits their security needs. From there, they can build and maintain a solution that works for them.

4. Is a Traditional Career Path Required for Security Pros?

Not even a little bit. Infosec personnel come from all types of backgrounds such as playing poker online, serving in the military and obtaining music degrees. These experiences have helped to inform security professionals’ work, giving the community fresh perspectives with which they can protect organizations’ systems and data. This is to say that anyone can forge a career in cybersecurity.

5. What Can Developers Do to Ensure Their Organization’s Security?

There’s a lack of cohesion around who’s responsible for security. Many security professionals don’t trust the ability of developers to write secure code, for instance. Meanwhile, developers don’t feel they have the proper guidance to uphold security for their employers.

These viewpoints underscore a lack of clarity around digital defense in the workplace. In a recent survey conducted by GitLab, for instance, about a third of security personnel said that they were responsible for security. Nearly three in 10 participants said everyone in the organization was equally responsible, while 21% said the onus was on developers specifically.

Clearly, something needs to be done. Most developers are releasing software and apps more quickly today than they did just a few years ago. This highlights the opportunity for developers to play a role in contributing to their organization’s security.

The key is for security experts and developers to work together as partners for the purpose of achieving secure code. One of the ways they can do that is to expose the services they provide through a seamless API consumption-based model. Doing so will make it easier for developers to blend security naturally into the software development life cycle.

Additionally, organizations can make sure that they’re providing security awareness training to their developers. These employees won’t be able to function as a full partner in DevSecOps unless they understand the security risks confronting them. With that in mind, organizations need to approach DevSecOps as an opportunity to foster a collaborative and inclusive security culture.

Cybersecurity Is Always Changing

The questions discussed above might not be open or debatable several years from now, but they give something for organizations to consider in the meantime. Fortunately, the security industry is a community. As such, we’ll continue to explore these issues as a community going forward.